Abstract. When a property needs to be checked against an unknown or very complex system, classical exploration techniques like model checking are not applicable anymore. Sometimes a monitor can be used that checks a given property on the underlying system at runtime. A monitor for a property $L$ is a deterministic finite automaton $M_L$ that after each finite execution tells whether (1) every possible extension of the execution is in $L$, or (2) every possible extension is in the complement of $L$, or neither (1) nor (2) holds. Moreover, $L$ being monitorable means that it is always possible that in some future the monitor reaches (1) or (2). Classical examples for monitorable properties are safety and cosafety properties. On the other hand, deterministic liveness properties like "infinitely many $a$'s" are not monitorable.

We discuss various monitor constructions with a focus on deterministic ω-regular languages. We locate a proper subclass of deterministic ω-regular languages which is still strictly larger than the subclass of languages which are deterministic and codeterministic; and for this subclass there exists a canonical monitor which also accepts the language itself.

We also address the problem of deciding monitorability in comparison with deciding liveness. The state of the art is as follows. Given a Büchi automaton, it is PSPACE-complete to decide liveness or monitorability. Given an LTL formula, deciding liveness becomes EXPSPACE-complete, but the complexity of deciding monitorability remains open.


Introduction

Automata theoretic verification has its mathematical foundation in classical papers written in the 1950's and 1960's by Büchi, Rabin and others. Over the past few decades it became a success story with large scale industrial applications. However, frequently properties need to be checked against an unknown or very complex system. In such a situation classical exploration techniques like model checking might fail. The model-checking problem asks whether all runs satisfy a given specification. If the specification is written in monadic second-order logic, then all runs obeying the specification can be expressed effectively by some Büchi automaton (BA for short). If the abstract model of the system is given by some finite transition system, then the model-checking problem becomes an inclusion problem on ω-regular languages: all runs of the transition system must be accepted by the BA for the specification, too. In formal terms we wish to check $L(A) \subseteq L(\varphi)$ where $A$ is the transition system of the system and $\varphi$ is a formula for the specification. Typically testing inclusion is expensive, hence it might be better to check the equivalent assertion $L(A) \cap L(\neg\varphi) = \emptyset$. This is a key fact, because then the verification problem becomes a reachability problem in finite graphs.

Whereas the formulas are typically rather small, so we might be able to construct the Büchi automaton for them, the transition systems tend to be very large. Thus, "state explosion" on the system side might force us to use weaker concepts. The idea is to construct a "monitor" for a given specification. A monitor observes the system during runtime. It is a finite deterministic automaton with at most two distinguished states $\bot$ and $\top$. If it reaches the state $\bot$, the monitor stops and raises an "alarm" that no continuation of the so far observed run will satisfy the specification. If it reaches $\top$, the monitor stops because all continuations will satisfy the specification. Usually, this means we must switch to a finer monitor. Finally, we say that a language is monitorable if in every state of the monitor it is possible to reach either $\bot$ or $\top$ or both.

The formal definition of monitorable properties has been given in [?] by Pnueli and Zaks. It generalizes the notion of a safety property because for a safety property some deterministic finite automaton can raise an alarm $\bot$ by observing a finite "bad prefix", once the property is violated. The extension to the more general notion of monitorability is that a monitorable property also gives a positive feedback $\top$ if all extensions of a finite prefix obey the specification. Monitors are sometimes easy to implement and have a wide range of applications. See for example [12] and the references therein. Extensions and applications for stochastic automata have been proposed in Sistla et al., see [6,19].

In the present paper we discuss various monitor constructions. A monitor for a safety property $L$ can have far fewer states than the smallest DBA accepting $L$. For example, let $\Sigma = \{a,b\}$ and $n \in \mathbb{N}$. Consider the language $L = a^n b \Sigma^\omega \setminus \Sigma^* bb \Sigma^\omega$. The reader is invited to check that $L$ is a safety property and every DBA accepting $L$ has more than $n$ states. But there is a monitor with three states only. The monitor patiently waits to see an occurrence of a factor $bb$ and then switches to $\bot$. Hence, there is no bound between the minimal size of an accepting DBA and the minimal size of a possible monitor. This observation has actually been one of the main motivations to introduce the notion of monitor.

There are many deterministic languages which are far away from being monitorable. Consider again $\Sigma = \{a,b\}$ and let $L$ be the deterministic language of "infinitely many $a$'s". It is shown in [3] that $L$ cannot be written as any countable union of monitorable languages. On the other hand, if $L$ is monitorable and also accepted by some DBA with $n$ states and a single initial state, then there is a monitor accepting $L$ with at most $n$ states.

In the last section of this paper we discuss the question how to decide whether a language is monitorable, and its complexity. If the input is a Büchi automaton, then deciding safety, liveness, or monitorability is PSPACE-complete. If the input is an LTL formula, then deciding safety remains PSPACE-complete. It becomes surprisingly difficult for liveness: EXPSPACE-complete. For monitorability the complexity is wide open: we only know that it is PSPACE-hard and that it can be solved in EXPSPACE.

1 Preliminaries

We assume that the reader is familiar with the basic facts about automata theory for infinite words as exposed in the survey [53]. In our paper $\Sigma$ denotes a finite nonempty alphabet. We let $\Sigma^*$ (resp. $\Sigma^\omega$) be the set of finite (resp. infinite) words over $\Sigma$. Usually, lower case letters like $a, b, c$ denote letters in $\Sigma$, $u, \dots, z$ denote finite words, $1$ is the empty word, and $\alpha, \beta, \gamma$ denote infinite words. By language we mean a subset $L \subseteq \Sigma^\omega$. The complement of $L$ w.r.t. $\Sigma^\omega$ is denoted by $L^{co}$. Thus, $L^{co} = \Sigma^\omega \setminus L$.

A Büchi automaton (BA for short) is a tuple $A = (Q, \Sigma, \delta, I, F)$ where $Q$ is the nonempty finite set of states, $I \subseteq Q$ is the set of initial states, $F \subseteq Q$ is the set of final states, and $\delta \subseteq Q \times \Sigma \times Q$ is the transition relation. The accepted language $L(A)$ is the set of infinite words $\alpha \in \Sigma^\omega$ which label an infinite path in $A$ which begins at some state in $I$ and visits some state in $F$ infinitely often. Languages of type $L(A)$ are called ω-regular.

If for each $p \in Q$ and $a \in \Sigma$ there is at most one $q \in Q$ with $(p, a, q) \in \delta$, then $A$ is called deterministic. We write DBA for deterministic Büchi automaton. In a DBA we view $\delta$ as a partially defined function and we also write $p \cdot a = q$ instead of $(p, a, q) \in \delta$. Frequently it is asked that a DBA has a unique initial state. This is not essential, but in order to follow the standard notation, $(Q, \Sigma, \delta, q_0, F)$ refers to a BA where $I$ is the singleton $\{q_0\}$.

A deterministic weak Büchi automaton (DWA for short) is a DBA where all states in a strongly connected component are either final or not final. Note that a strongly connected component may have a single state because the underlying directed graph may have self-loops. A language is accepted by some DWA if and only if it is deterministic and simultaneously codeterministic. The result is in [?] which in turn is based on previous papers by Staiger and Wagner [?] and Wagner [25].

According to [?] a monitor is a finite deterministic transition system $M$ with at most two distinguished states $\bot$ and $\top$ such that for all states $p$ there exists a path from $p$ to $\bot$, or to $\top$, or to both. It is a monitor for an ω-language $L \subseteq \Sigma^\omega$ if the following additional properties are satisfied:

— If $u$ denotes the label of a path from an initial state to $\bot$, then $u\Sigma^\omega \cap L = \emptyset$.

— If $u$ denotes the label of a path from an initial state to $\top$, then $u\Sigma^\omega \subseteq L$.

A language $L \subseteq \Sigma^\omega$ is called monitorable if there exists a monitor for $L$. Thus, even non-regular languages might be monitorable. If a property is monitorable, then the following holds:

\[
\forall x\, \exists w : \; xw\Sigma^\omega \subseteq L \;\vee\; xw\Sigma^\omega \cap L = \emptyset . \qquad (1)
\]

The condition in (1) is not sufficient for non-regular languages: indeed consider $L = \{a^n b^n a \mid n \in \mathbb{N}\}\Sigma^\omega$. There is no finite state monitor for this language. In the present paper, the focus is on monitorable ω-regular languages. For ω-regular languages (1) is also sufficient; and Remark 2 below shows an equivalent condition for monitorability (although stronger for non-regular languages).

The common theme in "automata on infinite words" is that finite state devices serve to classify ω-regular properties. The most prominent classes are:

— Deterministic properties: there exists a DBA.

— Deterministic properties which are simultaneously codeterministic: there exists a DWA.

— Safety properties: there exists a DBA where all states are final.

— Cosafety properties: the complement is a safety property.

— Liveness properties: there exists a BA where from all states there is a path to some final state lying in a strongly connected component.

— Monitorable properties: there exists a monitor.

According to our definition of a monitor, not both states $\bot$ and $\top$ need to be defined. Sometimes it is enough to see $\bot$ or $\top$. For example, let $\emptyset \neq L \neq \Sigma^\omega$ be a safety property and $A = (Q, \Sigma, \delta, I, Q)$ be a DBA accepting $L$ where all states are final. Since $\emptyset \neq L$ we have $I \neq \emptyset$. Since $L \neq \Sigma^\omega$, the partially defined transition function $\delta$ is not defined everywhere. Adding a state $\bot$ as explained above turns $A$ into a monitor $\mathcal{M}$ for $L$ where the state space is $Q \cup \{\bot\}$. There is no need for any state $\top$. The monitor $\mathcal{M}$ also accepts $L$. This is however not the general case.

2 Topological properties

A topological space is a pair $(X, \mathcal{O})$ where $X$ is a set and $\mathcal{O}$ is a collection of subsets of $X$ which is closed under arbitrary unions and finite intersections. In particular, $\emptyset, X \in \mathcal{O}$. A subset $L \in \mathcal{O}$ is called open; and its complement $X \setminus L$ is called closed.

For $L \subseteq X$ we denote by $\overline{L}$ the intersection over all closed subsets $K$ such that $L \subseteq K \subseteq X$. It is the closure of $L$. The complement $X \setminus L$ is denoted by $L^{co}$.

A subset $L \subseteq X$ is called nowhere dense if its closure $\overline{L}$ does not contain any open subset. The classical example of the uncountable Cantor set $C$ inside the closed interval $[0,1]$ is nowhere dense. It is closed and does not have any open subset. On the other hand, the subset of rationals $\mathbb{Q}$ inside $\mathbb{R}$ (with the usual topology) satisfies $\overline{\mathbb{Q}} = \mathbb{R}$. Hence, $\mathbb{Q}$ is "dense everywhere" although $\mathbb{Q}$ itself does not have any open subset.

The boundary of $L$ is sometimes denoted as $\delta(L)$; it is defined by

\[
\delta(L) = \overline{L} \cap \overline{L^{co}} .
\]

In a metric space $B(x, 1/n)$ denotes the ball of radius $1/n$. It is the set of $y$ where the distance between $x$ and $y$ is less than $1/n$. A set is open if and only if it is some union of balls, and the closure of $L$ can be written as

\[
\overline{L} = \bigcap_{n \geq 1} \; \bigcup_{x \in L} B(x, 1/n) .
\]
In particular, every closed set is a countable intersection of open sets. Following the traditional notation we let $F$ be the family of closed subsets and $G$ be the family of open subsets. Then $F_\sigma$ denotes the family of countable unions of closed subsets and $G_\delta$ denotes the family of countable intersections of open subsets. We have just seen $F \subseteq G_\delta$, and we obtain $G \subseteq F_\sigma$ by duality. Since $G_\delta$ is closed under finite union, $G_\delta \cap F_\sigma$ is a Boolean algebra which contains all open and all closed sets.

In this paper we deal mainly with ω-regular sets. These are subsets of $\Sigma^\omega$, and $\Sigma^\omega$ is endowed with a natural topology where the open sets are defined by the sets of the form $W\Sigma^\omega$ where $W \subseteq \Sigma^*$. It is called the Cantor topology. The Cantor topology corresponds to a complete ultrametric space: for example, we let $d(\alpha, \beta) = 1/n$ for $\alpha, \beta \in \Sigma^\omega$ where $n - 1 \in \mathbb{N}$ is the length of a maximal common prefix of $\alpha$ and $\beta$. (The convention is $0 = 1/\infty$.)

The following dictionary translates notation about ω-regular sets into its topological counterpart.

— Safety = closed sets = $F$.

— Cosafety = open sets = $G$.

— Liveness = dense = closure is $\Sigma^\omega$.

— Deterministic = $G_\delta$, see [?].

— Codeterministic = $F_\sigma$, by definition and the previous line.

— Deterministic and simultaneously codeterministic = $G_\delta \cap F_\sigma$, by definition.

— Monitorable = the boundary is nowhere dense, see [3].

Monitorability depends on the ambient space $X$. Imagine we embed $\mathbb{R}$ into the plane $\mathbb{R}^2$ in a standard way. Then $\mathbb{R}$ is a line which is nowhere dense in $\mathbb{R}^2$. As a consequence every subset $L \subseteq \mathbb{R}$ is monitorable in $\mathbb{R}^2$. The same phenomenon happens for ω-regular languages. Consider the embedding of $\{a,b\}^\omega$ into $\{a,b,c\}^\omega$ by choosing a third letter $c$. Then $\{a,b\}^\omega$ is nowhere dense in $\{a,b,c\}^\omega$ and hence, every subset $L \subseteq \{a,b\}^\omega$ is monitorable in $\{a,b,c\}^\omega$. The monitor has 3 states. One state is initial and by reading $c$ we switch into the state $\bot$. The state $\top$ can never be reached. In some sense this 3-state minimalistic monitor is useless: it tells us almost nothing about the language. Therefore the smallest possible monitor is rarely the best one.

Remark 1. In our setting many languages are monitorable because there exists a "forbidden factor", for example a letter $c$ in the alphabet which is never used. More precisely, let $L \subseteq \Sigma^\omega$ be any subset and assume that there exists a finite word $f \in \Sigma^*$ such that either $\Sigma^* f \Sigma^\omega \subseteq L$ or $\Sigma^* f \Sigma^\omega \cap L = \emptyset$. Then $L$ is monitorable. Indeed, the monitor just tries to recognize $\Sigma^* f \Sigma^\omega$. Its size is $|f| + 2$ and it can be constructed in linear time from $f$ by the algorithms of Matiyasevich [?] or Knuth-Morris-Pratt [5].

3 Constructions of monitors

Remark 1 emphasizes that one should not simply try to minimize monitors. The challenge is to construct "useful" monitors. In the extreme, think that we encode a language $L$ in printable ASCII code, hence it is a subset of $\{0,1\}^\omega$. But even when using a 7-bit encoding there are 33 non-printable characters. A monitor can choose any of them and then wait patiently whether this very special encoding error ever happens. This might be a small monitor, but it is of little interest. It does not even check all basic syntax errors.

3.1 Monitors for ω-regular languages in $G_\delta \cap F_\sigma$

The ω-regular languages in $G_\delta \cap F_\sigma$ are those which are deterministic and simultaneously codeterministic. In every complete metric space (as for example the Cantor space $\Sigma^\omega$) all sets in $G_\delta \cap F_\sigma$ have a boundary which is nowhere dense. Thus, deterministic and simultaneously codeterministic languages are monitorable by a purely topological observation, see [4].

Recall that there is another characterization of ω-regular languages in $G_\delta \cap F_\sigma$ due to Staiger [?]. It says that these are the languages which are accepted by some DWA, thus by some DBA where in every strongly connected component either all states are final or none is final.

In every finite directed graph there is at least one strongly connected component which cannot be left anymore. In the minimal DWA (which exists and which is unique and where, without restriction, the transition function is totally defined) these end-components consist of a single state which can be identified either with $\bot$ or with $\top$. Thus, the DWA is itself a monitor. Here we face the problem that this DWA might be very large and also too complicated for useful monitoring.

3.2 General constructions

Let $w \in \Sigma^*$ be any word. Then the language $L = w\Sigma^\omega$ is clopen, meaning simultaneously open and closed. The minimal monitor for $w\Sigma^\omega$ must read the whole word $w$ before it can make a decision; and the minimal monitor has exactly $|w| + 2$ states. On the other hand, its boundary $\overline{L} \cap \overline{L^{co}}$ is empty and therefore nowhere dense. This suggests that deciding monitorability might be much simpler than constructing a monitor. For deciding we just need any DBA accepting the safety property $\overline{L} \cap \overline{L^{co}}$. Then we can see on that particular DBA whether $L$ is monitorable, although this particular DBA might be of no help for monitoring. Phrased differently, there is no bound between the size of a DBA certifying that $L$ is monitorable and the size of an actual monitor for $L$.

Indeed, the standard construction for a monitor $M_L$ is quite different from a direct construction of the DBA for the boundary, see for example [1]. The construction for the monitor $M_L$ is as follows. Let $L \subseteq \Sigma^\omega$ be monitorable and given by some BA. First, we construct two DBAs: one DBA with state set $Q_1$ for the closure $\overline{L}$ and another one with state set $Q_2$ for the closure of the complement $\overline{L^{co}}$. We may assume that in both DBAs all states are final and reachable from a unique initial state $q_{01}$ and $q_{02}$, respectively. Second, let $Q' = Q_1 \times Q_2$. Now, if we are in a state $(p, q) \in Q'$ and we want to read a letter $a \in \Sigma$, then exactly one out of the three possibilities can happen.

1. The states $p \cdot a$ and $q \cdot a$ are defined, in which case we let $(p, q) \cdot a = (p \cdot a, q \cdot a)$.

2. The state $p \cdot a$ is not defined, in which case we let $(p, q) \cdot a = \bot$.

3. The state $q \cdot a$ is not defined, in which case we let $(p, q) \cdot a = \top$.

Here $\bot$ and $\top$ are new states. Moreover, we let $q \cdot a = q$ for $q \in \{\bot, \top\}$ and $a \in \Sigma$. Hence, the transition function is totally defined. Finally, we let $Q \subseteq Q' \cup \{\bot, \top\}$ be the subset which is reachable from the initial state $(q_{01}, q_{02})$. Since $L$ is monitorable, $Q \cap \{\bot, \top\} \neq \emptyset$; and $Q$ defines the state set of a monitor $M_L$. Henceforth, the monitor $M_L$ above is called a standard monitor for $L$. The monitor has exactly one initial state. From now on, for simplicity, we assume that every monitor $M$ has exactly one initial state and that the transition function is totally defined. Thus, we can denote a monitor as a tuple

\[
M = (Q, \Sigma, \delta, q_0, \bot, \top) . \qquad (2)
\]

Here, $\delta : Q \times \Sigma \to Q$, $(p, a) \mapsto p \cdot a$ is the transition function, $q_0$ is the unique initial state, and $\bot$ and $\top$ are distinguished states with $Q \cap \{\bot, \top\} \neq \emptyset$.

Definition 1. Let $M = (Q, \Sigma, \delta, q_0, \bot, \top)$ and $M' = (Q', \Sigma, \delta', q_0', \bot, \top)$ be monitors. A morphism between $M$ and $M'$ is a mapping $\varphi : Q \cup \{\bot, \top\} \to Q' \cup \{\bot, \top\}$ such that $\varphi(q_0) = q_0'$, $\varphi(\bot) = \bot$, $\varphi(\top) = \top$, and $\varphi(p \cdot a) = \varphi(p) \cdot a$ for all $p \in Q$ and $a \in \Sigma$.

If $\varphi$ is surjective, then $\varphi$ is called an epimorphism.

Another canonical monitor construction uses the classical notion of right-congruence. A right-congruence for the monoid $\Sigma^*$ is an equivalence relation $\sim$ such that $x \sim y$ implies $xz \sim yz$ for all $x, y, z \in \Sigma^*$. There is a canonical right-congruence $\sim_L$ associated with every ω-language $L \subseteq \Sigma^\omega$: for $x \in \Sigma^*$ denote by $L(x) = \{\alpha \in \Sigma^\omega \mid x\alpha \in L\}$ the quotient of $L$ by $x$. Then defining $\sim_L$ by $x \sim_L y \iff L(x) = L(y)$ yields a right-congruence. More precisely, $\Sigma^*$ acts on the set of quotients $Q_L = \{L(x) \mid x \in \Sigma^*\}$ on the right, and the formula for the action becomes $L(x) \cdot z = L(xz)$. Note that this is well-defined. This yields the associated automaton [?, Section 2]. It is the finite deterministic transition system with state set $Q_L$ and arcs $(L(x), a, L(xa))$ where $x \in \Sigma^*$ and $a \in \Sigma$.

There is a canonical initial state $L = L(1)$, but unlike in the case of regular sets over finite words there is no good notion of final states in $Q_L$ for infinite words. The right-congruence is far too coarse to recognize $L$, in general. For example, consider the deterministic language $L$ of "infinitely many $a$'s" in $\{a,b\}^\omega$. For all $x$ we have $L = L(x)$, but in order to recognize $L$ we need two states.

It is classical that if $L$ is ω-regular, then the set $Q_L$ is finite, but the converse fails badly [?, Section 2]: there are uncountably many languages where $|Q_L| = 1$. To see this define for each $\alpha \in \Sigma^\omega$ a set

\[
L_\alpha = \{\beta \in \Sigma^\omega \mid \alpha \text{ and } \beta \text{ share an infinite suffix}\} .
\]

All $L_\alpha$ are countable, but the union $\bigcup \{L_\alpha \mid \alpha \in \Sigma^\omega\}$ covers the uncountable Cantor space $\Sigma^\omega$. Hence, there are uncountably many $L_\alpha$. However, $|Q_{L_\alpha}| = 1$ since $L_\alpha(x) = L_\alpha$ for all $x$.
Recall that a monitor is a DBA where the monitoring property is not defined using final states, but it is defined using the states $\bot$ and $\top$. Thus, a DBA with an empty set of final states can be used as a monitor as long as $\bot$ and $\top$ have been assigned and the required properties for a monitor are satisfied.

Proposition 1. Let $L \subseteq \Sigma^\omega$ be ω-regular and monitorable. Assume that $L$ is accepted by some BA with $n$ states. As above let $Q_L = \{L(x) \mid x \in \Sigma^*\}$ and denote $\bot = \emptyset$ and $\top = \Sigma^\omega$. Then $|Q_L| \leq 2^n$ and $Q_L \cup \{\top, \bot\}$ is the set of states for a monitor for $L$. At least one of the states in $\{\top, \bot\}$ is reachable from the initial state $L = L(1)$.

The monitor in Proposition 1 with state space $Q_L$ is denoted by $\mathcal{R}_L$ henceforth. We say that $\mathcal{R}_L$ is the right-congruential monitor for $L$.

Proposition 2. Let $\mathcal{R}_L$ be the right-congruential monitor for $L$. Then the mapping

\[
L(x) \mapsto \varphi(L(x)) = (\overline{L}(x), \overline{L^{co}}(x))
\]

induces a canonical epimorphism from $\mathcal{R}_L$ onto some standard monitor $\mathcal{M}_L$.

Proof. Observe that $\overline{L}(x) = \overline{L(x)}$ and $\overline{L^{co}}(x) = \overline{L(x)^{co}}$. Hence, $(\overline{L}(x), \overline{L^{co}}(x)) = (\overline{L(x)}, \overline{L(x)^{co}})$ and $\varphi(L(x))$ is well-defined. Now, if $\overline{L}(x) \neq \emptyset$ and $\overline{L^{co}}(x) \neq \emptyset$, then $\varphi(L(x)) \in Q$ where $Q$ is the state space of the standard monitor $\mathcal{M}_L$. If $\overline{L}(x) = \emptyset$ then we can think that all $(\emptyset, \overline{L^{co}}(x))$ denote the state $\bot$; and if $\overline{L^{co}}(x) = \emptyset$ then we can think that all $(\overline{L}(x), \emptyset)$ denote the state $\top$. □

Corollary 1. Let $L \subseteq \Sigma^\omega$ be monitorable and given by some BA with $n$ states. Then some standard monitor $\mathcal{M}_L$ for $L$ has at most $2^n$ states.

Proof. Without restriction we may assume that in the BA $(Q, \Sigma, \delta, I, F)$ accepting $L$ every state $q \in Q$ leads to some final state. The usual subset construction leads first to a DBA accepting $\overline{L}$, where all states are final and the states of this DBA are the nonempty subsets of $Q$. Thus, these are $2^n - 1$ states. Adding the empty set $\emptyset = \bot$ we obtain a DBA with $2^n$ states where the transition function is defined everywhere. If the complement $L^{co}$ is dense, this yields a standard monitor. In the other case we can use the subset construction also for a DBA accepting $\overline{L^{co}}$. In this case we remove all subsets $P \subseteq Q$ where $L(Q, \Sigma, \delta, P, F) = \Sigma^\omega$. (Note, for all $a \in \Sigma$ we have: if $L(Q, \Sigma, \delta, P, F) = \Sigma^\omega$ and $P' = \{q \in Q \mid \exists p \in P : (p, a, q) \in \delta\}$, then $L(Q, \Sigma, \delta, P', F) = \Sigma^\omega$, too.) Thus, if $L^{co}$ is not dense, then the construction for a standard monitor has at most $2^n - 2$ states of the form $(P, P)$ where $\emptyset \neq P$ and $L(Q, \Sigma, \delta, P, F) \neq \Sigma^\omega$. In addition there exists the reachable state $\top$ and possibly the state $\bot$. □

Proposition 2 leads to the question of a canonical minimal monitor, at least for a safety language where a minimal accepting DBA exists. The answer is "no" as we will see in Example 1 later.

Let us finish the section with a result on arbitrary monitorable subsets of $\Sigma^\omega$ which is closely related to [20, Lemma 2]. Consider any subset $L \subseteq \Sigma^\omega$ where the set of quotients $Q_L = \{L(x) \mid x \in \Sigma^*\}$ is finite ("zustandsendlich" or "finite state" in the terminology of [10]). If $Q_L$ is finite, then $L$ is monitorable if and only if the boundary is nowhere dense. In every topological space this latter condition is equivalent to the condition that the interior of $L$ is dense in its closure $\overline{L}$. Translating Staiger's result in [10] to the notion of monitorability we obtain the following fact.

Proposition 3. Let $L \subseteq \Sigma^\omega$ be any monitorable language and let $M$ be a monitor for $L$ with $n$ states. Then there exists a finite word $w$ of length at most $(n-1)^2$ such that for all $x \in \Sigma^*$ we have either $xw\Sigma^\omega \subseteq L$ or $xw\Sigma^\omega \cap L = \emptyset$.

Proof. We may assume that $n > 1$ and that the state space of $M$ is included in $\{1, \dots, n-1, \bot, \top\}$. Merging $\top$ and $\bot$ into a single state $0$ we claim that there is a word $w$ of length at most $(n-1)^2$ such that $q \cdot w = 0$ for all $0 \leq q \leq n-1$. Since $L$ is monitorable, there is for each $q \in \{0, \dots, n-1\}$ a finite word $v_q$ of length at most $n-1$ such that $q \cdot v_q = 0$. By induction on $k$ we may assume that there is a word $w_k$ of length at most $k(n-1)$ such that for each $q \in \{0, \dots, k\}$ we have $q \cdot w_k = 0$. (Note that the assertion trivially holds for $k = 0$.) If $k \geq n-1$ we are done: $w = w_{n-1}$. Otherwise consider the state $q = k+1$ and the state $p = q \cdot w_k$. Define the word $w_{k+1}$ by $w_{k+1} = w_k v_p$. Then the length of $w_{k+1}$ is at most $(k+1)(n-1)$. Since $w_k$ is a prefix of $w_{k+1}$ and since $0 \cdot v = 0$ for all $v$, we have $q \cdot w_{k+1} = 0$ for all $0 \leq q \leq k+1$. □
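The reset word of Proposition 3, computed exactly as the proof above does it, as an added Python example (not the paper's code). The input is the standard monitor of Example 1(1) for $n = 2$, that is the minimal DBA for $aab\Sigma^\omega \setminus \Sigma^* bb\Sigma^\omega$ plus $\bot$, written out by hand; the state numbering and the helper names are ours.

```python
# Added example (not the paper's code): the reset word of Proposition 3,
# computed the way the proof does it.  ⊥ and ⊤ are merged into one sink 0,
# v_q is a shortest word leading q to the sink (breadth-first search), and
# w grows as w_{k+1} = w_k v_p with p = (k+1)·w_k.  The input monitor below
# is written down by hand; the state numbering and the names are ours.
from collections import deque

SINK = 0   # ⊥ and ⊤ merged into a single state, as in the proof


def shortest_words_to_sink(states, delta):
    """BFS backwards from the sink: state -> shortest word w with state·w = 0."""
    pred = {s: [] for s in states}
    for (s, a), t in delta.items():
        pred[t].append((s, a))
    word = {SINK: ""}
    queue = deque([SINK])
    while queue:
        t = queue.popleft()
        for s, a in pred[t]:
            if s not in word:
                word[s] = a + word[t]       # first visit = shortest path
                queue.append(s)
    return word          # a state missing here can never reach ⊥ or ⊤


def step(delta, q, word):
    """q · word in the monitor."""
    for a in word:
        q = delta[(q, a)]
    return q


def reset_word(states, delta):
    """A word w with q·w = 0 for every state q; |w| <= (n-1)^2 for n states."""
    v = shortest_words_to_sink(states, delta)
    missing = [s for s in states if s not in v]
    if missing:
        raise ValueError(f"not a monitor: {missing} never reach ⊥ or ⊤")
    w = ""
    for q in states:                # induction over q = 1, ..., n-1
        p = step(delta, q, w)       # where q ends up after w_k
        w += v[p]                   # w_{k+1} = w_k v_p; 0·v = 0 keeps the rest
    return w


# Standard monitor of L = aab Σ^ω \ Σ* bb Σ^ω over Σ = {a,b}: states are the
# prefix classes 1:ε, 2:a, 3:aa, 4:aab, 5:aaba and the sink 0 (here ⊥).
MONITOR_STATES = [0, 1, 2, 3, 4, 5]
MONITOR_DELTA = {
    (0, "a"): 0, (0, "b"): 0,
    (1, "a"): 2, (1, "b"): 0,
    (2, "a"): 3, (2, "b"): 0,
    (3, "a"): 0, (3, "b"): 4,
    (4, "a"): 5, (4, "b"): 0,
    (5, "a"): 5, (5, "b"): 4,
}

# For contrast, the DBA for "infinitely many a's" with an unreachable sink:
# states 1 and 2 never reach 0, so it is not a monitor and has no reset word.
LIVE_STATES = [0, 1, 2]
LIVE_DELTA = {(0, "a"): 0, (0, "b"): 0,
              (1, "a"): 2, (1, "b"): 1,
              (2, "a"): 2, (2, "b"): 1}

if __name__ == "__main__":
    w = reset_word(MONITOR_STATES, MONITOR_DELTA)
    print(repr(w), [step(MONITOR_DELTA, q, w) for q in MONITOR_STATES])
```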

Remark 2. The interest in Proposition 3 is that monitorability can be characterized by a single alternation of quantifiers. Instead of saying that

\[
\forall x\, \exists w : (\forall \alpha : xw\alpha \in L) \vee (\forall \alpha : xw\alpha \notin L)
\]

it is enough to say

\[
\exists w\, \forall x : (\forall \alpha : xw\alpha \in L) \vee (\forall \alpha : xw\alpha \notin L) .
\]

The length bound $(n-1)^2$ is not surprising. It confirms Černý's Conjecture in the case of monitors. (See [23] for a survey on Černý's Conjecture.) Actually, in the case of monitors with more than 3 states the estimation of the length of the "reset word" is not optimal. For example, in the proof of Proposition 3 we can choose the word $v_1$ to be a letter, because there must be a state with distance at most one to $0$. The precise bound is $\binom{n+1}{2} = (n+1)n/2$ if the alphabet is allowed to grow with $n$ [?, Theorem 6.1]. If the alphabet is fixed, then the lower bound for the length of $w$ is still in $n^2/4 + \Omega(n)$ [13].

4 Monitorable deterministic languages

The class of monitorable languages forms a Boolean algebra and every ω-regular set $L$ can be written as a finite union $L = \bigcup_i L_i \setminus K_i$ where the $L_i$ and $K_i$ are deterministic ω-regular, [23]. Thus, if $L$ is not monitorable, then one of the deterministic $L_i$ or $K_i$ is not monitorable. This motivates the study of monitorable deterministic languages more closely.
Definition 2. Let $L \subseteq \Sigma^\omega$ be deterministic ω-regular. A deterministic Büchi monitor (DBM for short) for $L$ is a tuple

where $A = (Q, \Sigma, \delta, q_0, F)$ is a DBA with $L = L(A)$ and where $(Q, \Sigma, \delta, q_0, \bot, \top)$ is a monitor in the sense of Equation (2) for $L$.

The next proposition justifies the definition.

Proposition 4. Let $L \subseteq \Sigma^\omega$ be any subset. Then $L$ is a monitorable deterministic ω-regular language if and only if there exists a DBM for $L$.

Proof. The direction from right to left is trivial. Thus, let $L$ be monitorable and let $L = L(A)$ for some DBA $A = (Q, \Sigma, \delta, q_0, F)$ where all states are reachable from the initial state $q_0$. For a state $p \in Q$ let $L(p) = L(Q, \Sigma, \delta, p, F)$. If $L(p) = \emptyset$, then $L(p \cdot a) = \emptyset$; and if $L(p) = \Sigma^\omega$, then $L(p \cdot a) = \Sigma^\omega$. Thus, we can merge all states $p$ with $L(p) = \emptyset$ into a single non-final state $\bot$; and we can merge all states $p$ with $L(p) = \Sigma^\omega$ into a single final state $\top$ without changing the accepted language. All states are of the form $q_0 \cdot x$ for some $x \in \Sigma^*$; and, since $L$ is monitorable, for each $x$ either there is some $y$ with $xy\Sigma^\omega \cap L = \emptyset$ or there is some $y$ with $xy\Sigma^\omega \subseteq L$ (or both). In the former case we have $q_0 \cdot xy = \bot$ and in the latter case we have $q_0 \cdot xy = \top$. □
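The state merging in the proof above, as an added Python example (not from the paper): on a DBA it decides $L(p) = \emptyset$ and $L(p) = \Sigma^\omega$ for every reachable state $p$, merges such states into $\bot$ and $\top$, and then checks the monitor property. The three DBAs at the bottom (the language of Example 1(3) with some spare states, a cosafety language, and the non-monitorable "infinitely many $a$'s") are constructed by hand, and the function names are ours.

```python
# Added example (not the paper's code): the merging step from the proof of
# Proposition 4.  For every reachable DBA state p we decide L(p) = ∅ (no
# final state on a cycle is reachable) or L(p) = Σ^ω (δ is total on the part
# reachable from p and its non-final states contain no cycle), merge such
# states into ⊥ / ⊤, and then check the monitor property.  The DBAs at the
# bottom are constructed by hand; all function names are ours.

BOTTOM, TOP = "⊥", "⊤"


def successors(delta, s, alphabet):
    return [delta[(s, a)] for a in alphabet if (s, a) in delta]


def reach(delta, start, alphabet, within=None):
    """States reachable from start in one or more steps (passing only
    through states in `within`, if given)."""
    seen, todo = set(), successors(delta, start, alphabet)
    while todo:
        s = todo.pop()
        if s in seen or (within is not None and s not in within):
            continue
        seen.add(s)
        todo.extend(successors(delta, s, alphabet))
    return seen


def language_is_empty(delta, p, finals, alphabet):
    """L(p) = ∅ iff no final state lying on a cycle is reachable from p."""
    return not any(f in finals and f in reach(delta, f, alphabet)
                   for f in reach(delta, p, alphabet) | {p})


def language_is_universal(delta, p, finals, alphabet):
    """L(p) = Σ^ω iff no prefix gets stuck and no run avoids F forever."""
    region = reach(delta, p, alphabet) | {p}
    if any((s, a) not in delta for s in region for a in alphabet):
        return False
    nonfinal = region - set(finals)          # a cycle here would avoid F
    return not any(s in reach(delta, s, alphabet, within=nonfinal)
                   for s in nonfinal)


def dbm_from_dba(alphabet, delta, q0, finals):
    """Return (states, total delta, initial state, finals) after merging
    states with L(p) = ∅ into ⊥ and states with L(p) = Σ^ω into ⊤."""
    reachable = reach(delta, q0, alphabet) | {q0}
    name = {}
    for p in reachable:
        if language_is_empty(delta, p, finals, alphabet):
            name[p] = BOTTOM
        elif language_is_universal(delta, p, finals, alphabet):
            name[p] = TOP
        else:
            name[p] = p
    new_delta = {}
    for p in reachable:
        if name[p] in (BOTTOM, TOP):
            continue
        for a in alphabet:   # an undefined DBA transition rejects everything
            new_delta[(p, a)] = name[delta[(p, a)]] if (p, a) in delta else BOTTOM
    states = {s for (s, _) in new_delta} | set(new_delta.values()) | {name[q0]}
    for v in states & {BOTTOM, TOP}:        # verdict states are absorbing
        for a in alphabet:
            new_delta[(v, a)] = v
    new_finals = {name[p] for p in reachable if p in finals} - {BOTTOM}
    return states, new_delta, name[q0], new_finals


def is_monitor(states, delta, alphabet):
    """Every state must reach ⊥ or ⊤; at least one of them must exist."""
    return bool(states & {BOTTOM, TOP}) and all(
        s in (BOTTOM, TOP) or reach(delta, s, alphabet) & {BOTTOM, TOP}
        for s in states)


GAMMA = "abcd"
# Example 1(3), L = (b*a)^ω ∪ {a,b}*c{a,b,c}^ω, as a DBA with spare states:
# s0/s1 track (b*a)^ω, t1/t2 alternate after a c (no d-arc), u is dead.
EX3_DELTA = {
    ("s0", "a"): "s1", ("s0", "b"): "s0", ("s0", "c"): "t1", ("s0", "d"): "u",
    ("s1", "a"): "s1", ("s1", "b"): "s0", ("s1", "c"): "t1", ("s1", "d"): "u",
    ("t1", "a"): "t2", ("t1", "b"): "t2", ("t1", "c"): "t2",
    ("t2", "a"): "t1", ("t2", "b"): "t1", ("t2", "c"): "t1",
    ("u", "a"): "u", ("u", "b"): "u", ("u", "c"): "u", ("u", "d"): "u"}
EX3_FINALS = {"s1", "t1", "t2"}
# Σ* c Σ^ω over {a,b,c}: after the first c every continuation is accepted.
COSAFE_DELTA = {("p0", "a"): "p0", ("p0", "b"): "p0", ("p0", "c"): "p1",
                ("p1", "a"): "p1", ("p1", "b"): "p1", ("p1", "c"): "p1"}
# "infinitely many a's" over {a,b}: deterministic but not monitorable.
LIVE_DELTA = {("r0", "a"): "r1", ("r0", "b"): "r0",
              ("r1", "a"): "r1", ("r1", "b"): "r0"}

if __name__ == "__main__":
    st, d, q0, f = dbm_from_dba(GAMMA, EX3_DELTA, "s0", EX3_FINALS)
    print(sorted(st), is_monitor(st, d, GAMMA))   # 5 states, ⊥ reachable
    st, d, q0, f = dbm_from_dba("ab", LIVE_DELTA, "r0", {"r1"})
    print(sorted(st), is_monitor(st, d, "ab"))    # no ⊥/⊤: not a monitor
```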

Corollary 2. Let $L \subseteq \Sigma^\omega$ be a monitorable deterministic ω-regular language and $A$ be a DBA with $n$ states accepting $L$. Let $B$ be a DBM for $L$ with state set $Q_B$ where the size of $Q_B$ is as small as possible. Let further $Q_{\mathcal{R}}$ (resp. $Q_{\mathcal{M}}$) be the state set of the congruential (resp. smallest standard) monitor for $L$. Then we have

\[
n \geq |Q_B| \geq |Q_{\mathcal{R}}| \geq |Q_{\mathcal{M}}| .
\]

Example 1. Let $\Sigma = \{a,b\}$ and $\Gamma = \{a,b,c,d\}$.

1. For $n \in \mathbb{N}$ consider $L = a^n b \Sigma^\omega \setminus \Sigma^* bb \Sigma^\omega$. It is a safety property. Hence, we have $\overline{L} = L$. Moreover, $\Sigma^* bb \Sigma^\omega$ is a liveness property (i.e., dense). Hence $\overline{L^{co}} = \Sigma^\omega$. It follows that the standard monitor is just the minimal DBA for $L$ augmented by the state $\bot$. There are exactly $n + 4$ right-congruence classes defined by prefixes of the words $a^n b a$ and $a^n b^2$. We have $L(a^n b^2) = \emptyset$. Hence reading $a^n b^2$ leads to the state $\bot$. This shows that the inequalities in Corollary 2 become equalities in that example. On the other hand $b^2$ is a forbidden factor for $L$. Hence there is a 3-state monitor for $L$. Still there is no epimorphism from the standard monitor onto that monitor, since in the standard monitor we have $L(a^{n+1}) = \emptyset$ but in the 3-state monitor $\bot$ has no incoming arc labeled by $a$.

2. Every monitor for the language $\Sigma^* (bab \cup b^2) \Sigma^\omega$ has at least 4 states. There are three monitors with 4 states which are pairwise non-isomorphic.

3. Let $L = (b^* a)^\omega \cup \{a,b\}^* c \{a,b,c\}^\omega \subseteq \Gamma^\omega$. Then $L$ is monitorable and deterministic, but not codeterministic. Its minimal DBM has 4 states, but the congruential monitor $\mathcal{R}$ has 3 states only. We have $\overline{L} = \{a,b,c\}^\omega$ and $\overline{L^{co}} = \Gamma^\omega$. Hence, the smallest standard monitor has two states. In particular, we have $|Q_B| > |Q_{\mathcal{R}}| > |Q_{\mathcal{M}}|$, see also Figure 1.



Fig. 1. Monitors $B$, $\mathcal{R}$, $\mathcal{M}$ for $L = L(B)$.

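The standard-monitor construction of Section 3.2, run on the languages of Example 1(1) (with $n = 2$) and Example 1(3), as an added worked example in Python; the code and the hand-written DBAs for the closures are ours, not the paper's. It reproduces the state counts stated in the example: $n + 4 = 6$ states with $\bot$ for the safety language, and two states for the language of item 3.

```python
# Added example (not the paper's code): the standard monitor M_L of
# Section 3.2 as the product of two partial DBAs, one for the closure of L
# and one for the closure of L^co.  All states of those DBAs are final, so
# only their partial transition maps matter.  The DBAs for the closures of
# the languages of Example 1 are written down by hand below; the function
# names are ours.

BOTTOM, TOP = "⊥", "⊤"


def standard_monitor(alphabet, closure_L, closure_co):
    """closure_* = (initial state, partial transition dict {(p, a): q}).
    Returns (states, delta, q0): the reachable part of Q1 x Q2 together with
    the verdict states, and a total transition function delta."""
    (q01, d1), (q02, d2) = closure_L, closure_co
    q0 = (q01, q02)
    states, delta, todo = {q0}, {}, [q0]
    while todo:
        s = todo.pop()
        for a in alphabet:
            if s in (BOTTOM, TOP):
                t = s                                  # verdicts are absorbing
            else:
                p, q = s
                if (p, a) in d1 and (q, a) in d2:
                    t = (d1[(p, a)], d2[(q, a)])       # case 1
                elif (p, a) not in d1:
                    t = BOTTOM    # case 2: no word of L extends this prefix
                else:
                    t = TOP       # case 3: no word of L^co extends this prefix
            delta[(s, a)] = t
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, delta, q0


def is_monitor(states, delta):
    """Defining property: from every state ⊥ or ⊤ (or both) is reachable."""
    good = {s for s in states if s in (BOTTOM, TOP)}
    changed = bool(good)
    while changed:            # backward closure under the transition relation
        changed = False
        for (s, _), t in delta.items():
            if t in good and s not in good:
                good.add(s)
                changed = True
    return bool(good) and good == states


def verdict(delta, q0, prefix):
    """⊥ or ⊤ once the monitor has decided, None while still undecided."""
    q = q0
    for a in prefix:
        q = delta[(q, a)]
    return q if q in (BOTTOM, TOP) else None


# Example 1(3): L = (b*a)^ω ∪ {a,b}*c{a,b,c}^ω over Γ = {a,b,c,d}.
# closure(L) = {a,b,c}^ω: one state without a d-arc; closure(L^co) = Γ^ω:
# one total state.
GAMMA = "abcd"
EX3_CLOSURE_L = ("c1", {("c1", x): "c1" for x in "abc"})
EX3_CLOSURE_CO = ("c2", {("c2", x): "c2" for x in GAMMA})

# Example 1(1) with n = 2: L = aab Σ^ω \ Σ* bb Σ^ω over Σ = {a,b}.  L is a
# safety property, so closure(L) = L with the prefix classes ε, a, aa, aab
# ("last letter b") and aaba ("last letter a") as states; L^co is dense, so
# closure(L^co) = Σ^ω is one total state.
SIGMA = "ab"
EX1_CLOSURE_L = ("", {("", "a"): "a", ("a", "a"): "aa", ("aa", "b"): "aab",
                      ("aab", "a"): "aaba", ("aaba", "a"): "aaba",
                      ("aaba", "b"): "aab"})
EX1_CLOSURE_CO = ("s", {("s", x): "s" for x in SIGMA})


def example3():
    return standard_monitor(GAMMA, EX3_CLOSURE_L, EX3_CLOSURE_CO)


def example1():
    return standard_monitor(SIGMA, EX1_CLOSURE_L, EX1_CLOSURE_CO)


if __name__ == "__main__":
    st, d, q0 = example3()      # 2 states: (c1, c2) and ⊥, reached via d
    print(len(st), is_monitor(st, d), verdict(d, q0, "abab"), verdict(d, q0, "abcd"))
    st, d, q0 = example1()      # n + 4 = 6 states, ⊥ reached by bb or aaa
    print(len(st), is_monitor(st, d), verdict(d, q0, "aaba"), verdict(d, q0, "aabb"))
```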
5 Deciding liveness and monitorability

5.1 Decidability for Büchi automata

It is well-known that deciding liveness (resp. monitorability) is PSPACE-complete for Büchi automata. The following result for liveness is classic, for monitorability it was shown in [5].

Proposition 5. The following two problems are PSPACE-complete:

— Input: A Büchi automaton $A = (Q, \Sigma, \delta, I, F)$.

— Question 1: Is the accepted language $L(A) \subseteq \Sigma^\omega$ live?

— Question 2: Is the accepted language $L(A) \subseteq \Sigma^\omega$ monitorable?

Proof. Both problems can be checked in PSPACE using standard techniques. We sketch this part for monitorability. The procedure considers, one after another, all subsets $P$ such that $P$ is reachable from $I$ by reading some input word. For each such $P$ the procedure guesses some $P'$ which is reachable from $P$. It checks that either $L(A') = \emptyset$ or $L(A') = \Sigma^\omega$, where $A' = (Q, \Sigma, \delta, P', F)$. If both tests fail then the procedure enters a rejecting loop.

If, on the other hand, the procedure terminates after having visited all $P$, then $L(A)$ is monitorable.

For convenience of the reader we show PSPACE-hardness of both problems by adapting the proof in [5].

We reduce the universality problem for non-deterministic finite automata (NFA) to both problems. The universality problem for NFA is well-known to be PSPACE-complete.

Start with an NFA $A = (Q', \Gamma, \delta', q_0, F')$ where $\Gamma \neq \emptyset$. We use a new letter $b \notin \Gamma$ and we let $\Sigma = \Gamma \cup \{b\}$.

We will construct Büchi automata $B_1$ and $B_2$ as follows. We use three new states $d, e, f$ and we let $Q = Q' \cup \{d, e, f\}$, see Figure ??. The initial state is the same as before: $q_0$. Next, we define $\delta$. We keep all arcs from $\delta'$ and we add the following new arcs.

— $q \xrightarrow{b} d \xrightarrow{a} e$ for all $q \in Q' \setminus F'$ and all $a \in \Gamma$.

— $e \xrightarrow{b} d \xrightarrow{b} d$.

— $q \xrightarrow{c} f$ for all $q \in F'$ and all $c \in \Sigma$.

Let us define two final sets of states: $F_1 = \{f\}$ and $F_2 = \{d, f\}$. Thus, we have constructed Büchi automata $B_1$ and $B_2$ where

\[
B_i = (Q, \Sigma, \delta, q_0, F_i) \quad \text{for } i = 1, 2 .
\]

For the proof of the proposition it is enough to verify the following two claims which are actually more precise than needed.

1. The language $L(B_1)$ is monitorable. It is live if and only if $L(A) = \Gamma^*$.

2. The language $L(B_2)$ is live. It is monitorable if and only if $L(A) = \Gamma^*$.


Fig. 2. PSPACE-hardness for liveness and monitorability for Büchi automata.


If $L(A) = \Gamma^*$, then we have $L(B_1) = L(B_2) = \Sigma^\omega$, so both languages are live and monitorable.

If $L(A) \neq \Gamma^*$, then there exists some word $u \notin L(A)$ and hence reading $ub$ we are necessarily in state $d$. It follows that $ub\Sigma^\omega \cap L(B_1) = \emptyset$ and $L(B_1)$ is not live. Still, $L(B_1)$ is monitorable. Now, for all $w \in \Sigma^*$ we have $wb^\omega \in L(B_2)$. Hence, $L(B_2)$ is live. However, if $u \notin L(A)$, then after reading $ub$ we are in state $d$. Now, choose some letter $a \in \Gamma$. For all $v \in \Sigma^*$ we have $ubva^\omega \notin L(B_2)$, but $ubvb^\omega \in L(B_2)$. Hence, if $L(A) \neq \Gamma^*$, then $L(B_2)$ is not monitorable. □

5.2 Decidability for LTL 

We use the standard syntax and semantics of the linear temporal logic LTL for infinite words over some finite nonempty alphabet Σ. We restrict ourselves to the pure future fragment, and the syntax of LTL_Σ[XU] is given as follows:

φ ::= ⊤ | a | ¬φ | φ ∨ φ | φ XU φ,

where a ranges over Σ. The binary operator XU is called the next-until modality.

In order to give the semantics we identify each φ ∈ LTL_Σ with some first-order formula φ(x) in at most one free variable. The identification is done as usual by structural induction. The formula a becomes a(x) = P_a(x), where P_a(x) is the unary predicate saying that the label of position x is the letter a. The formula "φ neXt-Until ψ" is defined by:

(φ XU ψ)(x) = ∃z : (x < z ∧ ψ(z) ∧ ∀y : (φ(y) ∨ y ≤ x ∨ z ≤ y)).

Finally let α ∈ Σ^ω be an infinite word with the first position 0, then we define α ⊨ φ by α ⊨ φ(0); and we define

L(φ) = {α ∈ Σ^ω | α ⊨ φ}.
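The first-order reading of XU above, as an added example that is not from the paper: an evaluator for LTL_Σ[XU] on ultimately periodic words uv^ω, with next, eventually and always derived from XU alone. The tuple encoding of formulas and the sample words are my own choices.

```python
# Added example, not the paper's code: LTL_Sigma[XU] evaluated through its first-order
# semantics on ultimately periodic words u v^omega. Formulas are nested tuples (assumption):
# ("T",), ("a", letter), ("not", f), ("or", f, g), ("XU", f, g).

def letter_at(u, v, x):
    """Letter at position x of the infinite word u v^omega (positions start at 0)."""
    return u[x] if x < len(u) else v[(x - len(u)) % len(v)]

def holds(f, u, v, x):
    """phi(x) for the first-order translation of f, on the word u v^omega."""
    kind = f[0]
    if kind == "T":
        return True
    if kind == "a":
        return letter_at(u, v, x) == f[1]
    if kind == "not":
        return not holds(f[1], u, v, x)
    if kind == "or":
        return holds(f[1], u, v, x) or holds(f[2], u, v, x)
    if kind == "XU":  # exists z > x with psi(z), and phi(y) for every y with x < y < z
        phi, psi = f[1], f[2]
        # Beyond |u| the word repeats with period |v|: a witness z can be moved back by |v|
        # whenever z - |v| > x and z - |v| >= |u|, so z <= max(x, |u|) + |v| suffices.
        for z in range(x + 1, max(x, len(u)) + len(v) + 1):
            if holds(psi, u, v, z) and all(holds(phi, u, v, y) for y in range(x + 1, z)):
                return True
        return False
    raise ValueError(f"unknown connective {kind!r}")

def in_L(f, u, v):
    """alpha |= phi iff phi(0) holds, for alpha = u v^omega (v must be nonempty)."""
    if not v:
        raise ValueError("the period v must be nonempty")
    return holds(f, u, v, 0)

# Derived modalities, all expressed with XU as the only temporal operator.
def letter(c): return ("a", c)
def NOT(f): return ("not", f)
def OR(f, g): return ("or", f, g)
def X(f): return ("XU", NOT(("T",)), f)      # next: the witness z can only be x + 1
def F(f): return OR(f, ("XU", ("T",), f))     # eventually: now or strictly later
def G(f): return NOT(F(NOT(f)))               # always

# Constructed words: (ab)^omega has infinitely many a's, a b^omega does not.
INF_A = G(F(letter("a")))
```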

Languages of type L(φ) are called LTL definable. It is clear that every LTL definable language is first-order definable; and Kamp's famous theorem [8] states the converse. In particular, given L(φ) there exists a BA A such that L(φ) = L(A). There are examples where the size of the formula φ is exponentially smaller than the size of any corresponding BA A.

For a survey on first-order definable languages we refer to [5]. By LTL decidability of a property V we mean that the input is a formula φ ∈ LTL_Σ and we ask whether property V holds for L(φ). By the proposition above we obtain straightforwardly the following lower and upper bounds for the LTL decidability of monitorability and liveness.

Remark 3. The following two problems are PSPACE-hard and can be solved in EXPSPACE:

— Input: A formula φ ∈ LTL_Σ.

— Question 1: Is the accepted language L(φ) ⊆ Σ^ω live?

— Question 2: Is the accepted language L(φ) ⊆ Σ^ω monitorable?

Remark 3 is far from satisfactory since there is a huge gap between PSPACE-hardness and containment in EXPSPACE. Very unfortunately, we were not able to make the gap any smaller for monitorability. There was some belief in the literature that, at least, LTL liveness can be tested in PSPACE, see for example [16]. But surprisingly this last assertion is wrong: testing LTL liveness is EXPSPACE-complete!

Proposition 6. Deciding LTL liveness is EXPSPACE-complete:

— Input: A formula φ ∈ LTL_Σ.

— Question: Is the accepted language L(φ) ⊆ Σ^ω live?

EXPSPACE-completeness of liveness was proved by Muscholl and Walukiewicz in 2012, but never published. Independently, it was proved by Orna Kupferman and Gal Vardi in [?].

We give a proof of Proposition 6 in Sections 5.3 and 5.4 below. We also point out why the proof technique fails to say anything about the hardness to decide monitorability. Our proof for Proposition 6 is generic. This means that we start with a Turing machine M which accepts a language L(M) ⊆ Σ* in EXPSPACE. We show that we can construct in polynomial time a formula φ(w) ∈ LTL_Σ such that

w ∈ L(M) ⟺ L(φ(w)) ⊆ Σ^ω is not live.


5.3 Encoding EXPSPACE computations 

For the definition of Turing machines we use standard conventions, very close to the notation e.g. in [7]. Let L = L(M) be accepted by a deterministic Turing machine M, where M has set of states Q and the tape alphabet is Γ containing a "blank" symbol B. We assume that for some fixed polynomial p(n) ≥ n + 2 the machine M uses on an input word w ∈ (Γ \ {B})* of length n strictly less space than 2^N − 2, where N = p(n). (It does not really matter that M is deterministic.) Configurations are words from Γ*(Q × Γ)Γ* of length precisely 2^N, where the head position corresponds to the symbol from Q × Γ. For technical reasons we will assume that the first and the last symbol in each configuration is B. Let

Δ = Γ ∪ (Q × Γ).

If the input is a nonempty word w = a_1 ⋯ a_n where the a_i are letters, then the initial configuration is defined here as

C_0 = B (q_0, a_1) a_2 ⋯ a_n B^{2^N − n − 1},

that is, a_n is followed by 2^N − n − 1 blanks.

For t ≥ 0 let C_t be the configuration of M at time t during the computation starting with the initial configuration C_0 on input w. We may assume that the computation is successful if and only if there is some t such that a special symbol, say q_f, appears in C_t. Thus, we can write each C_t as a word C_t = a_{0,t} ⋯ a_{m,t} with m = 2^N − 1; and we have w ∈ L(M) if and only if there are some i ≥ 1 and t ≥ 1 such that a_{i,t} = q_f.

In order to check that a sequence C_0, C_1, ... is a valid computation we may assume that the Turing machine comes with a table Δ ⊆ Δ^4 of allowed quadruples such that the following formula holds:

∀t > 0 ∀ 1 ≤ i < 2^N − 1 : (a_{i−1,t−1}, a_{i,t−1}, a_{i+1,t−1}, a_{i,t}) ∈ Δ.

Without restriction we have (B, B, B, B) ∈ Δ, because otherwise M would accept only finitely many words.

We may express that we can reach a final configuration C_t by saying:

∃t ≥ 1 ∃ 1 ≤ i < 2^N : a_{i,t} = q_f.

As in many EXPSPACE-hardness proofs, for comparing successive configurations we need to switch to a slightly different encoding, by adding the tape position after each symbol from Δ. To do so, we enlarge the alphabet Δ by new symbols 0, 1, $, #, k_1, ..., k_N which are not used in any C_t so far. Hence, Σ = Δ ∪ {0, 1, $, #, k_1, ..., k_N}. We encode a position 0 ≤ i < 2^N by using its binary representation with exactly N bits. Thus, each i is written as a word bin(i) = b_1 ⋯ b_N where each b_p ∈ {0, 1}. In particular, bin(0) = 0^N, bin(1) = 0^{N−1}1, ..., bin(2^N − 1) = 1^N.

Henceforth, a configuration C_t = a_{0,t} ⋯ a_{m,t} with m = 2^N − 1 is encoded as a word

c_t = a_{0,t} bin(0) ⋯ a_{m,t} bin(m) $.

Words of this form are called stamps in the following. Each stamp has length 2^N · N + 1. If a factor bin(i) occurs, then either i = m (i.e., bin(i) = 1^N) and the next letter is $, or i < m and the next letter is some letter from the original alphabet Δ followed by the word bin(i + 1).

Now we are ready to define a language L = L(w) which has the property that L is not live if and only if w ∈ L(M). We describe the words α ∈ Σ^ω which belong to L as follows.

1. Assume that α does not start with a prefix of the form c_0 ⋯ c_ℓ # where c_0 corresponds to the initial configuration w.r.t. w, each c_t is a stamp and in the stamp c_ℓ the symbol q_f occurs. Then α belongs to L.

2. Assume now that α starts with a prefix c_0 ⋯ c_ℓ # as above. Then we let α belong to L if and only if the set of letters occurring infinitely often in α witnesses that the prefix c_0 ⋯ c_ℓ of stamps is not a valid computation. Thus, we must point to some t ≥ 1 and some position 1 ≤ i < m such that (a_{i−1,t−1}, a_{i,t−1}, a_{i+1,t−1}, a_{i,t}) ∉ Δ. The position i is given as bin(i) = b_1 ⋯ b_N ∈ {0, 1}^N. The string bin(i) defines a subset of Σ:

I(i) = {k_p | b_p = 1}.

The condition for α to be in L is that for some t the mistake from C_{t−1} to C_t is reported by the position i such that I(i) equals the set of letters k_p which appear infinitely often in α. Note that since we excluded mistakes at position i = 0 (because of the leftmost B), the set I(i) is non-empty.
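The stamp encoding and the mistake condition above, as an added example that is not part of the paper: it encodes and parses stamps, lists the pairs (t, i) at which the quadruple condition fails between successive configurations, and computes I(i) from bin(i). The toy machine, its table of quadruples (the paper's Δ, here a Python set of 4-tuples) and the sample configurations are constructed for the demonstration.

```python
# Added example, not the paper's code: stamps, the quadruple check between successive
# configurations, and the witness sets I(i). The toy machine below is constructed (assumption).
def bin_(i, N):
    """bin(i): the binary representation of position i with exactly N bits."""
    return format(i, f"0{N}b")

def stamp(config, N):
    """Encode C_t = a_0 ... a_m (m = 2^N - 1) as the stamp a_0 bin(0) ... a_m bin(m) $."""
    assert len(config) == 2 ** N
    out = []
    for i, a in enumerate(config):
        out += [a, *bin_(i, N)]
    return out + ["$"]

def parse_stamp(word, N):
    """Check the stamp structure (symbol, bin(i) counting up, final $) and return C_t, else None."""
    m = 2 ** N
    if len(word) != m * (N + 1) + 1 or word[-1] != "$":   # one symbol and N bits per position, then $
        return None
    config = []
    for i in range(m):
        chunk = word[i * (N + 1):(i + 1) * (N + 1)]
        if chunk[0] in ("0", "1", "$", "#") or list(chunk[1:]) != list(bin_(i, N)):
            return None
        config.append(chunk[0])
    return config

def mistakes(configs, table):
    """All (t, i) with 1 <= i < m such that (a_{i-1,t-1}, a_{i,t-1}, a_{i+1,t-1}, a_{i,t}) is not in the table."""
    return [(t, i) for t in range(1, len(configs)) for i in range(1, len(configs[t]) - 1)
            if (configs[t-1][i-1], configs[t-1][i], configs[t-1][i+1], configs[t][i]) not in table]

def witness_set(i, N):
    """I(i) = { k_p | b_p = 1 } for bin(i) = b_1 ... b_N: the letters that must occur infinitely often."""
    return {f"k{p + 1}" for p, b in enumerate(bin_(i, N)) if b == "1"}

# Constructed toy machine: tape alphabet {B, x}; state q0 steps right over x and accepts on B.
TABLE = set()
for l in "Bx":
    for r in "Bx":
        for c in "Bx":
            TABLE.add((l, c, r, c))                     # cell away from the head: unchanged
            TABLE.add((l, c, ("q0", r), c))             # head directly to the right: unchanged
            TABLE.add((("q0", "x"), c, r, ("q0", c)))   # head to the left moves onto this cell
            TABLE.add((("q0", "B"), c, r, c))           # head to the left halts: unchanged
        TABLE.add((l, ("q0", "x"), r, "x"))             # head reads x: write x, move right
        TABLE.add((l, ("q0", "B"), r, "qf"))            # head reads B: accept, q_f appears

N = 2   # configurations of length 2^N = 4, first and last cell B as on the page
VALID = [["B", ("q0", "x"), "B", "B"], ["B", "x", ("q0", "B"), "B"], ["B", "x", "qf", "B"]]
TAMPERED = [VALID[0], ["B", "B", ("q0", "B"), "B"], VALID[2]]   # cell 1 of C_1 corrupted
```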

Lemma 1. The language L = L(w) is not live if and only if w ∈ L(M).

Proof. First, let w ∈ L(M). Then we claim that L is not live. To see this let u = c_0 ⋯ c_ℓ #, where the prefix c_0 ⋯ c_ℓ is a valid accepting computation of M. There is no mistake in c_0 ⋯ c_ℓ. Thus we have uΣ^ω ∩ L = ∅, so indeed, L is not live.

Second, let w ∉ L(M). We claim that L is live. Consider any u ∈ Σ*. Assume first that u does not start with a prefix of the form c_0 ⋯ c_ℓ #, where c_0 corresponds to the initial configuration w.r.t. w, each c_t is a stamp and in the stamp c_ℓ the symbol q_f occurs. Then we have uΣ^ω ⊆ L.

Otherwise, assume that c_0 ⋯ c_ℓ # is a prefix of u and that all c_t are stamps, with c_0 initial and c_ℓ containing q_f. There must be some mistake in c_0 ⋯ c_ℓ #, say for some i and t. Let I(i) be as defined above. As i ≥ 1 we have I(i) ≠ ∅. Therefore we let β be any infinite word where the set of letters appearing infinitely often is exactly the set I(i). By definition of L we have uβ ∈ L. Hence, L is live. □

There are other ways to encode EXPSPACE computations which may serve to prove Proposition 6, see for example [10]. However, these proofs do not reveal any hardness for LTL monitorability. In particular, they do not reveal EXPSPACE or EXPTIME hardness. For our encoding this can be made very precise.

Remark 4. Since we are interested in EXPSPACE-hardness, we may assume that there are infinitely many w with w ∉ L(M). Let n be large enough, say n ≥ 3, and w ∉ L(M); then (B, (q_0, a_1), a_2, q_f) ∉ Δ, where w = a_1 a_2 ⋯ a_n, because otherwise w ∈ L(M). Define c_1 just as the initial stamp c_0 with the only difference that the letter (q_0, a_1) is replaced by the symbol q_f. Let u = c_0 c_1 #, then for every v ∈ Σ* we have that uv(k_N)^ω ∈ L (i.e., there is a mistake at position 1), but uv(k_1 k_2 ⋯ k_N)^ω ∉ L (i.e., there is no mistake at position 2^N − 1) because (B, B, B, B) ∈ Δ. Thus, L is not monitorable.
5.4 Proof of Proposition 6

LTL liveness is in EXPSPACE by Remark 3. The main ideas for the proof are in the previous subsection. We show that we can construct in polynomial time on input w some φ ∈ LTL_Σ such that L(φ) = L(w). This can be viewed as a standard exercise in LTL. The solution is a little bit tedious and leads to a formula of at most quadratic size in n. The final step in the proof is to apply Lemma 1. □

6 Conclusion and outlook 

In the paper we studied monitorable languages from the perspective of what is a "good monitor". In some sense we showed that there is no final answer yet, but monitorability is a field where various interesting questions remain to be answered.

Given an LTL formula for a monitorable property one can construct monitors 
of at most doubly exponential size; and there is some indication that this is the 
best we can hope for, see [2]. Still, we were not able to prove any hardness for 
LTL monitorability beyond PSPACE. This does not mean anything, but at least 
in theory, it could be that LTL monitorability cannot be tested in EXPTIME, 
but nevertheless it is not EXPTIME-hard. 

There is also another possibility. Deciding monitorability might be easier than constructing a monitor. Remember that deciding monitorability means to test that the boundary is nowhere dense. However, we have argued that a DBA for the boundary does not necessarily give any information about a possible monitor, see the discussion at the beginning of Section 3.

A more fundamental question is about the notion of monitorability. The definition is not robust in the sense that every language becomes monitorable simply by embedding the language into a larger alphabet. This is somewhat puzzling, so the question is whether a more robust and still useful notion of monitorability exists.

Finally, there is an interesting connection to learning. In spite of recent progress to learn general ω-regular languages by [1], it is not known how to learn a DBA for deterministic ω-regular languages in polynomial time. The best result is still due to Maler and Pnueli in [13]. They show that it is possible to learn a DWA for an ω-regular language L in G_δ ∩ F_σ in polynomial time. The queries to the oracle are membership questions "uv^ω ∈ L?" where u and v are finite words, and the query whether a proposed DWA is correct. If not, the oracle provides a shortest counterexample of the form uv^ω.

Since a DWA serves also as a monitor we can learn a monitor the very same way, but beyond G_δ ∩ F_σ it is not known that membership queries to L and queries whether a proposed monitor is correct suffice. As a first step one might try to find out how to learn a deterministic Büchi monitor in case it exists. This is a natural class beyond G_δ ∩ F_σ because canonical minimal DBA for these languages exist. Moreover, just as for DWA this minimal DBA is a DBM, too.
Another interesting branch of research is monitorability in a distributed setting. A step in this direction for infinite Mazurkiewicz traces was outlined in [?].